Request Demo

Last month, we covered how legacy GRC products and new integrated risk management (IRM) solutions can co-exist and in fact compliment each other. That said, in order for them to compliment we have to acknowledge that there is a distinct difference between the modular GRC products and IRM solutions. However, what we saw before, during, and after the RSA Conference is the GRC solutions calling themselves IRM solutions with little or no product changes. IRM technology represents a fundamental change to the approach to the product and is not simply a problem for the marketing team.

As we've said, in enterprise organizations, there is room for both but we believe that customers of these GRC platforms as well as those considering becoming customers, need to know the distinction and how to spot the false premises that GRC is telling the market. In this second post from this series on the lies that GRC is telling you we'll dive into the first lie: good things come but only to those who wait.

Good things come to those who wait: There’s a direct correlation between time to implement and amount of value

Every technology company has had to debate between developing high-value configuration, or allowing for heavy customer-facing customization when building a product. Many in the GRC space opted to have users customize whatever they want with intricate linkages between assets, controls, risks, scoring mechanisms, and business processes. More customization options were added over the years, so much so that even those who bought described implementation as something that you must “know what you’re getting into”.

We’ve read through every Gartner and Forrester report, every review from those using legacy GRC for their security program, and spoke to our partner, Gartner, and other analyst firms about the subject. The consensus is that it takes at least 3 months, if not more, to simply implement the technology after buying it. Most of the time, these jobs are completed by a third party instead of the organization itself or the vendor. The more popular industry leaders average a 6-12 month, and some even 12+ months, implementation time in order to be used by the customer.

When GRC buyers choose a product that is supposed to make their cybersecurity program more efficient and effective, they shouldn't have to wait months to use it. As mentioned before, legacy GRC serves a purpose, but getting immediate time-to-value is not a common thread among these players. In the era of emerging integrated risk management, information security organizations should be able to access and utilize intricate linkages between assets, controls, risks, scoring mechanisms, and business processes without heavy customization-- instead, making as many of these functionalities out-of-the-box as possible, with agile customer-facing configuration, is the means to the fastest time-to-value in the future state of integrated risk management. A longer implementation time does not equate to more value, as the future of GRC (IRM) is leaning towards more rapidly deployed capabilities that bring just as much, if not more.

The Sunk Cost Fallacy Of GRC

Project managers are no strangers to the sunk cost fallacy - the idea that an activity, project, or product is valued at the amount of resources invested even if it is not worth that investment. In the case of risk and compliance solutions, GRC blogs have cultivated the idea that an astronomical price tag and an average implementation time of six months increases the value of the product itself. It doesn't. In a time when artificial intelligence and machine learning powered products configure themselves out of the box (in ways that would push the upper echelons of the GRC implementation time we've seen thus far), the idea of a long time to value is only hurting CISO's and their teams.

 

This post is part two of CyberSaint's series diving into the false dichotomies, incorrect premises, and potential falsehoods that the GRC market has told cyber professionals.

Read the full report on the Three Lies That GRC Is Telling You here.

You may also like

5 Things You Won't Miss About Risk ...
on February 20, 2020

Making the shift to a new platform is a daunting task. At its core, it is an investment in the future of your cybersecurity program. In order to decide to make the shift, it is ...

How to Know You Meet NERC CIP ...
on February 18, 2020

North American Electric Reliability Corporation - Critical Infrastructure Protection (NERC CIP) is the presiding set of standards that govern our Bulk Electric System (BES) and ...

Risk-Based Cybersecurity ...
on February 12, 2020

An IRM Approach to Compliance In recent history, cybersecurity regulation and the possibility of fines resulting from non-compliance has driven action on the part of CIO’s, ...

How to Report on NERC CIP Standards
on February 5, 2020

Federal Energy Regulatory Commission (FERC) is the governing body in charge of monitoring and enforcing regulations put forth by the North American Energy Reliability Corporation ...

What is NERC CIP
on February 12, 2020

Energy and Utility companies play a critical role in the United States’ national security. That’s largely in part because these responsible entities are strictly maintained and ...

The Definitive List of the ...
on November 25, 2019

Why Integrated Risk Management While organizations and business leaders have been trained to manage risks, cyber risk appears to be a completely different category. With more ...